SSL and TLS traffic accounts for roughly 30-50% of internet traffic across organizations. Why does this matter? Locking your front door while leaving the back door open does not secure your house. In the same way, inspecting unencrypted traffic while letting encrypted traffic pass through your network untouched does little to secure your network. SSL Decryption on a Palo Alto Networks firewall is how you lock the back door.
BEFORE YOU BEGIN
1) Important Considerations:
a) Prior to enabling SSL Decryption, inform users that there is no expectation of privacy on the corporate network.
b) Decryption can break some applications, typically those that pin certificates, authenticate with client certificates, or otherwise do not tolerate a man-in-the-middle. Test with a sample group before enabling SSL decryption across your network.
2) This guide assumes the organization has an internal Microsoft Certificate Services infrastructure in place and that its root CA certificate is already trusted by your clients. Domain-joined Windows machines receive it through Group Policy; non-domain devices and browsers that keep their own trust store (Firefox, for example) need it distributed separately, or they will see a certificate warning on every decrypted site.
PHASE 1 – CERTIFICATES ON PALO ALTO NETWORKS FIREWALL
1) Log into firewall and navigate to Device > Certificates
2) Click Import
3) Provide certificate name (whatever desired) and root CA certificate file. Click OK.
4) Click Generate
5) Provide a name for your PAN’s subordinate CA certificate (whatever desired) and a common name, and change Signed By to External Authority (CSR). Click Generate. The key pair is generated on the firewall and the private key stays there; only the signing request leaves the box.
6) Select the box next to your newly generated CSR and click Export. Your browser should prompt you to download a CSR file.
7) Open the CSR file with your preferred text editor and copy the entire contents to your clipboard.
8) Browse to your Microsoft AD Certificate Services server at https://servername/certsrv. It may prompt you for credentials; provide AD credentials that hold the Enroll permission on the Subordinate Certification Authority certificate template. If it did not prompt, it most likely used the logged-in user’s credentials.
9) Click advanced certificate request.
10) Paste the contents of the CSR from step 7 into the Saved Request box. Ensure the Certificate Template is set to Subordinate Certification Authority and click Submit.
11) Select Base 64 encoded and click Download certificate.
12) Save the file along with your CSR. This file is the signed public certificate only: the private key was generated on the firewall in step 5 and never left it, so the download itself contains nothing secret. What is sensitive is the key pair as a whole. This certificate chains to your enterprise root, so whoever controls the firewall’s private key can issue certificates for any site that every domain-joined client will trust.
Protect the firewall’s private key (never export it without a reason), keep Enroll permission on the Subordinate Certification Authority template to a minimum, and delete the local copies of the CSR and certificate once they have been uploaded to the Palo Alto firewall.
13) Click Import.
14) Provide the certificate name used in step 5 and path to the certificate file from step 12. Click OK.
15) You should see the new certificate indented underneath the root CA certificate that was imported earlier. Click the name of the certificate (in this example, PA-200 CA).
16) Check Forward Trust Certificate. The firewall also needs a Forward Untrust Certificate, and checking that box on this same certificate is the common shortcut. Be aware of what it does: when a server presents an untrusted or expired certificate, the firewall re-signs the session with the Forward Untrust certificate, and if that certificate chains to your enterprise root the browser shows no warning at all. With the IT_Decrypt profile later in this guide, which permits such sessions, IT staff would lose the browser error that tells them a site’s certificate is bad. The better practice is to generate a separate self-signed certificate on the firewall, never distribute it to clients, and assign the Forward Untrust role to that certificate instead. Click OK.
17) Verify the certificate usage reflects the roles assigned as pictured below.
18) This completes the certificate portion of the SSL Decryption Implementation
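A check worth running before step 13, added here as an example and not part of the original article: confirm with openssl that the file AD CS returned chains to the imported root, carries the CA basic constraint and key usage that the Subordinate Certification Authority template applies, matches the public key in the firewall’s CSR, and contains no private key. The file names, the "Example Root CA" and "PA-200 CA" subjects and the make_fixtures function are assumptions; make_fixtures stands in for the real root CA, firewall and AD CS so the script runs offline, and also produces a wrong-template counterexample.

```shell
#!/bin/sh
# Added example, not from the original article. Pre-import sanity check for the
# subordinate CA certificate returned by AD Certificate Services. Needs openssl.
set -eu

# verify_subca_cert ROOT.cer SUBCA.cer SUBCA.csr
# Returns 0 when every check passes, prints the failing check and returns 1 otherwise.
verify_subca_cert() {
  root="$1"; cert="$2"; csr="$3"
  # 1. Chains to the root CA imported in Phase 1 step 3.
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $root"; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  # 2. The Subordinate Certification Authority template was applied: CA:TRUE and keyCertSign.
  printf '%s\n' "$text" | grep -q 'CA:TRUE' \
    || { echo "FAIL: Basic Constraints is not CA:TRUE (wrong template?)"; return 1; }
  printf '%s\n' "$text" | grep -q 'Certificate Sign' \
    || { echo "FAIL: Key Usage lacks keyCertSign"; return 1; }
  # 3. The certificate carries the public key from the firewall's CSR (the private key never left the firewall).
  [ "$(openssl x509 -in "$cert" -pubkey -noout)" = "$(openssl req -in "$csr" -pubkey -noout)" ] \
    || { echo "FAIL: public key does not match $csr"; return 1; }
  # 4. The download is a certificate only; a PRIVATE KEY block would mean the wrong file was exported.
  if grep -q 'PRIVATE KEY' "$cert"; then echo "FAIL: $cert contains a private key"; return 1; fi
  echo "OK: $cert is a subordinate CA certificate under $root for the key in $csr"
}

# Constructed fixtures (assumed names) standing in for the real root CA, firewall and AD CS.
make_fixtures() {
  d="$1"
  # Enterprise root CA (the certificate imported in step 3).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/root.ext" -out "$d/root.cer" 2>/dev/null
  # Firewall side (step 5): key pair generated on the box, only the CSR leaves it.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=PA-200 CA" \
    -keyout "$d/pan.key" -out "$d/pan.csr" 2>/dev/null
  # AD CS side (steps 10-11), Subordinate Certification Authority template.
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' > "$d/subca.ext"
  openssl x509 -req -in "$d/pan.csr" -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -extfile "$d/subca.ext" -out "$d/pan.cer" 2>/dev/null
  # Counterexample: the same CSR issued from an end-entity template (fails check 2).
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$d/ee.ext"
  openssl x509 -req -in "$d/pan.csr" -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -extfile "$d/ee.ext" -out "$d/pan-wrong.cer" 2>/dev/null
}

# Real use: verify_subca_cert root.cer pan.cer pan.csr. With no arguments, run the offline demo.
if [ "$#" -eq 3 ]; then
  verify_subca_cert "$1" "$2" "$3"
elif [ "$#" -eq 0 ]; then
  demo=$(mktemp -d)
  make_fixtures "$demo"
  verify_subca_cert "$demo/root.cer" "$demo/pan.cer" "$demo/pan.csr"
  verify_subca_cert "$demo/root.cer" "$demo/pan-wrong.cer" "$demo/pan.csr" || true
fi
```

Check 2 is the one that catches a request submitted under the wrong template: AD CS will happily sign the firewall’s CSR with a user or web-server template, and the result imports cleanly but cannot sign anything, so every decrypted session fails. On the Windows side, certutil -verify pan.cer gives a comparable chain check.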
PHASE 2 – SSL DECRYPTION PROFILE AND POLICIES
1) Log into firewall and navigate to Objects > Decryption Profiles. Click Add.
A) Digital Scepter recommends two different Decryption Profiles:
i. IT_Decrypt – allows sessions to sites with expired and untrusted certificates (leave Block sessions with expired certificates and Block sessions with untrusted issuers unchecked). Recommended only if IT staff need to reach off-site resources that present untrusted or self-signed certificates. If that is not the case, skip this profile and use User_Decrypt for everyone.
ii. User_Decrypt – blocks sessions to sites with expired and untrusted certificates (check both of those options). Users do not get the usual browser option to accept the certificate and proceed, because the firewall blocks the session before the page loads.
2) Navigate to Policies > Decryption. Click Add.
3) Create a policy as seen in the image below with the following settings:
a) Name Protect Confidential
b) Source Zone Inside
c) Destination Zone Outside
d) URL Category financial-services and health-and-medicine
e) Options No Decrypt
4) Create two more policies as seen in the image below with the following settings:
a) Policy 1
i) Name Decrypt IT Outbound
ii) Source Zone Inside
iii) Source Address and User (Your IT Department Subnet) and (Your IT Department AD Group)
Digital Scepter recommends configuring both of these, but at a minimum the source user should be specified, so that the permissive profile follows IT staff rather than any device that happens to sit on the IT subnet.
iv) Destination Zone Outside
v) URL Category any
vi) Options
1) Decrypt
2) Type SSL Forward Proxy
3) Decryption Profile IT_Decrypt
b) Policy 2
i) Name Decrypt User Outbound
ii) Source Zone Inside
iii) Destination Zone Outside
iv) URL Category any
v) Options
1) Decrypt
2) Type SSL Forward Proxy
3) Decryption Profile User_Decrypt
This should leave your firewall configured with three Decryption policies. The first instructs the firewall not to decrypt two URL categories that are deemed safe and confidential: financial-services and health-and-medicine. The second provides outbound decryption for IT staff with the less restrictive decryption profile allowing for expired and untrusted certificates. The third provides outbound decryption for all other users with the more restrictive decryption profile that blocks expired and untrusted certificates. Decryption policies are evaluated top-down and the first match wins, so Protect Confidential must sit above the two decrypt rules; if it were placed below them, financial and medical traffic would be decrypted by whichever decrypt rule matched first.
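The same Phase 2 configuration expressed as PAN-OS CLI set commands, added here as an example and not taken from the original article. The syntax follows PAN-OS configure mode and the element names mirror the GUI fields above, but confirm them with the CLI’s ? completion on your PAN-OS version before pasting. The IT subnet 10.10.50.0/24 and the group DN are placeholder assumptions, and the certificate roles from Phase 1 step 16 are assigned in the GUI and not repeated here.

```text
configure

# Decryption profiles (Objects > Decryption Profiles). The two Server Certificate
# Verification settings are what separate IT_Decrypt from User_Decrypt.
set profiles decryption IT_Decrypt ssl-forward-proxy block-expired-certificate no
set profiles decryption IT_Decrypt ssl-forward-proxy block-untrusted-issuer no
set profiles decryption User_Decrypt ssl-forward-proxy block-expired-certificate yes
set profiles decryption User_Decrypt ssl-forward-proxy block-untrusted-issuer yes

# Rule 1: never decrypt financial and medical sites.
set rulebase decryption rules "Protect Confidential" from Inside to Outside source any destination any source-user any service any category [ financial-services health-and-medicine ] action no-decrypt

# Rule 2: IT staff (placeholder subnet and group DN) with the permissive profile.
set rulebase decryption rules "Decrypt IT Outbound" from Inside to Outside source 10.10.50.0/24 destination any source-user "cn=it-staff,ou=groups,dc=example,dc=com" service any category any action decrypt type ssl-forward-proxy profile IT_Decrypt

# Rule 3: everyone else with the restrictive profile.
set rulebase decryption rules "Decrypt User Outbound" from Inside to Outside source any destination any source-user any service any category any action decrypt type ssl-forward-proxy profile User_Decrypt

# Decryption rules are first match, top to bottom: the no-decrypt rule must be above both decrypt rules.
move rulebase decryption rules "Protect Confidential" top
move rulebase decryption rules "Decrypt User Outbound" bottom

commit
```

Keeping the two profiles as explicit yes/no pairs makes the difference between them visible in a config diff; a profile with the block settings merely left at their defaults is easy to misread during an audit.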